Choose from the alphabetic list below to learn about a method. See also Finding methods
by function. The Call, Branch, Collect, Java, Queue, and Rule operations are technically
"instructions", not methods. For information on these instructions, see:
BRANCH — Branching to another activity
CALL — Calling another activity
COLLECT — Begin execution of a collection rule
FLOW-NEW — Start a flow execution
JAVA — Using Java in an activity step
QUEUE — Execute another activity asynchronously
RULE — Using the Rule instruction to implement a custom rule type
A
Method Description
Activity-Clear-Status Reset the method status from the previous method.
Activity-End End the current activity and calling activities.
Activity-List-Add Add an activity to an internal dispatch list.
Activity-Set-Status Set a return value.
Apply-DataTransform Update property values based on a data transform rule.
Apply-Parse-Delimited Execute a Parse Delimited rule in an activity.
Apply-Parse-Structured Execute a Parse Structured rule in an activity.
Apply-Parse-XML Execute a Parse XML rule in an activity.
Assert-No-Invocation Exclude this activity from invocation counting for license compliance.
C
Commit Commit all database changes in the Thread.
Connect-dotNet Start a connector to a Web service based on the Microsoft .NET framework.
Connect-EJB Start a connector to an external Enterprise JavaBean.
Connect-File Start a connector to write to a file.
Connect-FTP Copy a file from one location to another using File Transfer Protocol
Connect-HTTP Start a connector to an external system using HTTP.
Connect-Java Start a connector to call an external Java class or JavaBean.
Connect-JCA Start a connector to an external system through a JCA resource adapter.
Connect-JMS Start a connector to an external system using the Java Message Service application programmer interface.
Connect-MQ Start a connector for a WebSphere MQ connection.
Connect-SOAP Start a connector to invoke a Web service.
Connect-Wait Block (pause) for a time interval to synchronize with a child requestor.
E F H L M
End-Validate End compilation of referencing rules, for a custom rule type.
Exit-Activity End the current activity.
Flow-End End a flow execution.
Flow-New Start a new flow execution.
History-Add Record your changes to work items or activities
History-List List instances of a class.
Link-Objects Link objects together.
Log-Message Add a message to the Pega log.
Map-Structured Parse or assemble a fixed format data structure.
O
Obj-Browse Search through and select instances of a class based on tests of values of exposed columns.
Obj-Delete Delete an instance from the database, or mark it for later deletion with the Commit method
Obj-Delete-By-Handle Delete an instance from the database (or mark it for later deletion) using the handle.
Obj-Filter Remove embedded pages of a Code-Pega-List results page that fail to meet criteria specified in a when condition rule.
Obj-List Search through instances of a class and extract selected properties.
Obj-List-View Execute the retrieval and sorting operations of a list view rule, but with no formatting or HTML display.
Obj-Open Open an instance stored in the PegaRULES database or in certain cases an external database.
Obj-Open-by-Handle Open an instance using a permanent unique key.
Obj-Refresh-and-Lock Open an instance and acquire a lock.
Obj-Save Save page data to the database, or mark it for saving (commit) later.
Obj-Save-Cancel Reverse a previous Obj-Save or Obj-Delete method, not yet committed to the database.
Obj-Set-Tickets Set or reset tickets, interrupting the normal sequential processing of a flow.
Obj-Sort Sort the values of a property of mode Page List.
Obj-Validate Run a Validate rule on a set of properties, typically representing user input.
P
Page-Change-Class Change the class of a page.
Page-Clear-Messages Remove page messages from the step page.
Page-Copy Copy contents of one page to another page
Page-Merge-Into Merge two or more pages into one page.
Page-New Create a page.
Page-Remove Delete a page from the clipboard.
Page-Rename Rename a page or name a primary page
Page-Set-Messages Associate a message with a page.
Page-Unlock Release a lock held after Commit.
Page-Validate Validates all properties on a page.
Parse-Byte-Pos Used only in Parse Structured rules.
Parse-Char-Pos Used only in Parse Structured rules.
Parse-Fixed-Binary Used only in Parse Structured rules.
Parse-Packed-Decimal Used only in Parse Structured rules.
Privilege-Check Determine whether a user or requestor has a specified privilege.
Property-Map-DecisionTable Evaluate a decision table rule and assign the result to a property.
Property-Map-DecisionTree Evaluate a decision tree rule and assign the result to a property.
Property-Map-Value Set the value of a property based on a one-dimensional map value rule.
Property-Map-ValuePair Set the value of a property based on a two-dimensional map value rule.
Property-Ref Link reference properties with non-reference properties.
Property-Remove Delete a property from a page.
Property-Seek-Value Use backward chaining to obtain a value.
Property-Set Set the value of one or more specified properties
Property-Set-Corr Save the contents of a correspondence stream as the value of a property.
Property-Set-HTML Save the contents of an HTML stream as the value of a property.
Property-Set-Messages Associate a literal text message with a property or a step page.
Property-Set-Stream Save the contents of a JSP, XML, or HTML stream as the value of a property.
Property-Set-XML Save the contents of an XML stream as the value of a property.
Property-Validate Apply an edit validate rule to test user input.
Q R
Queue-for-Agent Enqueue a System-Queue- derived clipboard page into the system queue for background processing.
RDB-Delete Delete an instance from a relational database.
RDB-List Retrieve rows from an external relational database.
RDB-Open Open an instance from an external relational database.
RDB-Save Save the contents of a clipboard page to a relational database.
Requestor-Stop Stop processing of the requestor.
Rollback Cancel any uncommitted database save operations.
S T W
Show-HTML Assemble and send an HTML page to a user's browser.
Show-Page Send an XML representation of a page to the browser.
Show-Property Send a single property value to the browser.
Show-Stream Apply stream processing to a JSP, HTML, correspondence, or XML Stream rule.
Start-Validate Compile referencing rules for a custom rule type.
StringBuffer-Append Manipulate string buffer containing local variables.
StringBuffer-Insert Manipulate string buffer containing local variables.
StringBuffer-Reset Manipulate string buffer containing local variables.
TaskStatus-Set Convey results of activity processing to a calling flow.
Text-Infer Evaluate a parse infer rule.
Text-Normalize Evaluate a parse normalize rule.
Thread-Clear Clear the thread page.
Wait Pause a Thread for a specified time interval.
Best Practice 2: Filter all inputs
Filter and validate input data as thoroughly as possible, including inputs submitted from
browser forms, inputs from service requests (such as email), and inputs from connector
responses. Prevent invalid data from entering a work object or a work object attachment.
Use the following features to validate individual values:
Strong types — For Single Value, Value List and Value Group properties, select the Property Type carefully. Use Integer, Double, Decimal, DateTime, Date, TimeofDay, and TrueFalse when appropriate (rather than Text, Password or Identifier). Special characters that are common in JavaScript code — such as quotes — can never appear in a numeric, date or time value, but may legitimately appear in a Text, Password, or Identifier value.
White lists — Several features let you constrain a property value to one of a fixed list or pattern of values, including the property table edits (Local List, Field Values, Class Key values) on the General tab in V5.5+ or the Table Edit tab in earlier releases.
Restrictions — Complete the Max Length field for Text, Password or Identifier fields. For example, it is difficult to fit a malicious JavaScript program into a small number of characters.
Not declarative — Select the Cannot be a Declarative Target check box if applicable. (This is a weak measure, but helpful, since a declarative expression could assemble JavaScript source code.)
Special properties — Select the Cannot be included as an input field check box if the property is always computed from other values. (This also is a weak measure, but helpful.)
Validation — Identify an edit input rule and an edit validate rule when possible. Don't accept angle brackets, quotes, ampersand, or other special characters in fields unless necessary for a sound business reason. For example, the standard validation rule isLetterorDigit limits values to hold only letters and digits. (On the V5.5 Property form, Max Length and validation fields appear on the Advanced tab.)
Use map value rules, validation rules, and constraints rules to validate inputs.
To test arriving email attachments or other file attachments for software viruses and malicious JavaScripts, override the extension point activity Data-WorkAttach-File.CallVirusCheck with an activity that calls your third-party virus software. Your activity can call a Java class or (in a Microsoft Windows server) a Dynamic Linked Library routine.
Ensure that files uploaded from application user workstations, and text files processed by a file listener, are virus-checked.
Input filtering is worthwhile even if an application has 100% coverage of output filtering for
the HTML that the application sends to a browser. Applications often send output to other
systems — rather than to a browser — that could contain a malicious JavaScript function,
such as an HTML-rendered email message. Infecting another system — which may belong
to another department, to a customer, or to a supplier — is a security failure no less serious
than infecting an application user.
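The input checks listed above (strong type, white list, Max Length, letters-and-digits validation), shown as an added example in plain Java. It is not Pega rule or PublicAPI code and is not part of the original page; the field names, the length limit and the sample values are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Set;

// Added illustration in plain Java; not Pega rule or PublicAPI code.
// Field names, limits and sample values are constructed for the example.
public class InputFilterDemo {
    // White list: only these values are accepted (compare a Local List table edit).
    static final Set<String> PRIORITIES = Set.of("Low", "Medium", "High");
    static final int MAX_LEN = 16; // plays the role of the Max Length field

    // Strong type: an integer parse cannot carry quotes, brackets or script text.
    static boolean validQuantity(String raw) {
        if (raw == null) return false;
        try {
            return Integer.parseInt(raw.trim()) >= 0;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    // Restriction plus validation: bounded length, letters and digits only.
    static boolean validAccountId(String raw) {
        return raw != null && !raw.isEmpty() && raw.length() <= MAX_LEN
                && raw.chars().allMatch(Character::isLetterOrDigit);
    }

    static boolean validPriority(String raw) {
        return raw != null && PRIORITIES.contains(raw);
    }

    // Dispatch on the (hypothetical) field name; unknown fields are rejected.
    static boolean accept(String field, String value) {
        switch (field) {
            case "quantity":  return validQuantity(value);
            case "accountId": return validAccountId(value);
            case "priority":  return validPriority(value);
            default:          return false;
        }
    }

    public static void main(String[] args) {
        List<String[]> submitted = List.of(   // constructed sample form input
            new String[] {"quantity", "12"},
            new String[] {"quantity", "12\"><script>"},
            new String[] {"accountId", "AB12345"},
            new String[] {"accountId", "AB'12345"},
            new String[] {"priority", "Urgent"});
        for (String[] f : submitted) {
            System.out.printf("%-9s %-16s %s%n", f[0], f[1],
                    accept(f[0], f[1]) ? "accepted" : "rejected");
        }
    }
}
```

Each check rejects the value outright instead of trying to strip the offending characters, so nothing invalid reaches the stored record or a downstream system.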
Do not disable this security feature.
Avoid use of the URL JSP tag in handcrafted stream rules. If you must use a URL tag, call the Safe URL JavaScript functions to obfuscate the URL query string.
Examples
Below are portions of hand-crafted stream rules that are modified to filter a value using
these two PublicAPI functions in an inline Java scriptlet:
Incorrect
<%tools.appendString(tools.getActiveValue()); %>
Correct
<%tools.appendString(StringUtils.crossScriptingFilter(tools.getActiveValue()));%>
or
<%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getActiveValue()));%>
Incorrect
<%tools.appendString(tools.getSaveValue("savename")); %>
Correct
<pega:reference name=$save(savename) />
or
<%tools.appendString(StringUtils.crossScriptingFilter(tools.getSaveValue("savename"))); %>
or
<%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getSaveValue("savename"))); %>
Incorrect
<%tools.appendString(tools.getParamValue("paramname")); %>
Correct
<pega:reference name=param.paramname/>
or
<%tools.appendString(StringUtils.crossScriptingFilter(tools.getParamValue("paramname"))); %>
or
<% tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getParamValue("paramname"))); %>